On the morning of November 21, 2014, hackers sent Sony executives—who were gearing up for the release of Seth Rogen’s North Korea-bashing film, The Interview—a grim holiday greeting: “We’ve obtained all your internal data including your secrets and top secrets. If you don’t obey us, we’ll release data shown below to the world.” The hackers made good on their promise, unloading into the public sphere a trove of emails, personnel information, and all sorts of other data. Most of the actual damage involved disclosed personnel records and damaged celebrity reputations. Among other things, producer Mark Rudin called Angelina Jolie “a minimally talented spoiled brat” for delaying his film projects, and producer Amy Pascal called Leonardo DiCaprio “absolutely despicable” after he passed on a Steve Jobs biopic.
A few politicians focused on the Sony cyber attack’s political and economic implications. “It’s a new form of warfare that we’re involved in,” Senator John McCain told CNN’s State of the Union, “and we need to react and we need to react vigorously.” Senator McCain’s condemnation was in large part a response to President Obama’s earlier acknowledgement that, while certainly an act of “cyber vandalism,” the Sony cyber attack doesn’t quite qualify as an act of war. Mike Rogers, the Republican chair of the House Intelligence Committee, was more reserved in his assessment. “You can’t necessarily say an act of war,” he said in an interview with Fox News. Rogers identified the underlying legal problem when he admitted, “We don’t have good, clear policy guidance on what that means when it comes to cyber attacks.”
So what was the cyber attack on Sony: vandalism, warfare, or something else? And if that attack didn’t cross the line into warfare, what would?
“The term ‘act of war’ is a dated one,” says Michael N. Schmitt, director of the Stock Center for the Study of International Law at the United States Naval War College, and one of the foremost experts on cyber attacks. “‘Act of war’ was a more common term when Congress would declare war. But the Geneva Conventions of 1949 dispensed with the requirement that war be declared before the rules of war apply.” Today, lawyers seldom use the term.
According to Schmitt, when people ask whether a cyber attack is an act of war, what they really want to know is (1) when a cyber attack is an unlawful “use of force” under the United Nations Charter, and (2) when the victim state can respond with physical force because the cyber attack qualifies as an “armed attack” under the Charter. While the difference is nuanced and important to most of the world, the U.S. does not distinguish between the two. Schmitt directed a group of 20 experts in creating the Tallinn Manual, which seeks to clarify and, to the degree possible, answer those questions in the cyber context. The Manual includes eight factors that states can use to assess whether a cyber attack constitutes a “use of force.” Those factors, simplified, ask the following questions:
- Severity: How much damage did the attack cause?
- Immediacy: How quickly did the consequences of the attack manifest themselves?
- Directness: How many intermediate steps had to occur between the attack and the consequences?
- Invasiveness: How much security did the attack have to bypass in order to cause its results?
- Measurability of effects: How easy is it to measure the damage caused?
- Military character: How involved was the military in carrying out the attack?
- State involvement: How involved was the state in carrying out the attack?
- Presumptive legality: Was the attack more akin to a military act, or was it merely propaganda, espionage, or economic pressure?
So when would a cyber attack constitute an act of war? According to Schmitt and others, the only cyber attack that could have constituted an obvious armed attack was allegedly carried out by the U.S. and Israel.
Picture: Andersson18824 (Own work) [CC BY-SA 4.0 (http://creativecommons.org/licenses/by-sa/4.0)], via Wikimedia Commons